From b7afb10fcd466b29fd891b54a6e7c8b4532c5ea1 Mon Sep 17 00:00:00 2001 From: Christos Tsantilas Date: Fri, 30 Dec 2016 21:40:21 +1300 Subject: [PATCH] Bug 4599 pt4: Disable RSA weak ephemeral key exchange for OpenSSL-1.1 From OpenSSL changeLog: Remove support for all 40 and 56 bit ciphers. This includes all the export ciphers who are no longer supported and drops support the ephemeral RSA key exchange. The LOW ciphers currently doesn't have any ciphers in it. [Kurt Roeckx] OpenSSL 1.1.0 drops EXPORT ciphers and ephemeral RSA. The ssl_temp_rsa_cb used here. The OpenSSL manual for this function is: https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_tmp_rsa_callback(3) --- src/ssl/support.cc | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/src/ssl/support.cc b/src/ssl/support.cc index b0d17f88c5..17cb7f8fb7 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -96,7 +96,7 @@ ssl_ask_password(SSL_CTX * context, const char * prompt) } } -/// \ingroup ServerProtocolSSLInternal +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) static RSA * ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) { @@ -146,6 +146,16 @@ ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) return rsa; } +#endif + +static void +maybeSetupRsaCallback(Security::ContextPointer &ctx) +{ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + debugs(83, 9, "Setting RSA key generation callback."); + SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb); +#endif +} int Ssl::asn1timeToString(ASN1_TIME *tm, char *buf, int len) { @@ -523,8 +533,7 @@ configureSslContext(Security::ContextPointer &ctx, AnyP::PortCfg &port) } } - debugs(83, 9, "Setting RSA key generation callback."); - SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb); + maybeSetupRsaCallback(ctx); port.secure.updateContextEecdh(ctx); port.secure.updateContextCa(ctx); 
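Review bot: The Doxygen line `/// \ingroup ServerProtocolSSLInternal` above ssl_temp_rsa_cb is replaced by the new `#if` instead of being kept beneath it, so the function loses its documentation group on the builds that still compile it. Keep both, guard first: `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)` followed by `/// \ingroup ServerProtocolSSLInternal`. A one-line reason on the guard would also help the next reader, for example `// OpenSSL 1.1.0 removed export ciphers and ephemeral RSA`. The body of ssl_temp_rsa_cb lies outside this hunk.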
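Review bot: On builds against OpenSSL older than 1.1.0, maybeSetupRsaCallback still installs ssl_temp_rsa_cb on every context passed to it. The ephemeral RSA exchange that the subject line calls weak therefore presumably stays reachable there whenever the configured cipher list admits export suites; the commit closes it only for 1.1.0 and later. The helper has no comment, and that limit belongs in one, for example `/// Installs the ephemeral RSA key callback on OpenSSL < 1.1.0, where export-grade suites still use it; a no-op on 1.1.0+, which dropped ephemeral RSA.` On 1.1.0+ the body is empty and `ctx` is unused, which may trip unused-parameter warnings if the build enables them; an `#else` branch holding `(void)ctx;` would avoid that.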
@@ -676,8 +685,7 @@ Ssl::InitClientContext(Security::ContextPointer &ctx, Security::PeerOptions &pee } } - debugs(83, 9, "Setting RSA key generation callback."); - SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb); + maybeSetupRsaCallback(ctx); if (fl & SSL_FLAG_DONT_VERIFY_PEER) { debugs(83, 2, "NOTICE: Peer certificates are not verified for validity!"); -- 2.47.2
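Review bot: The call `maybeSetupRsaCallback(ctx);` in Ssl::InitClientContext looks like dead configuration even on old OpenSSL. As the OpenSSL manual linked in the description has it, the temporary RSA key is generated by the server side of the handshake, so a client context should never invoke the callback. If that holds for the library versions still supported, delete the call here instead of wrapping it, and leave the helper to configureSslContext (preceding hunk), where the server context is set up. InitClientContext starts and ends outside this hunk.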